Changes between Version 5 and Version 6 of WikiStart


Ignore:
Timestamp:
May 17, 2013 11:35:06 AM (11 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • WikiStart

    v5 v6  
    110110Libabac allows developers to import signed ABAC statements about principals and attributes and prove that certain principals have those attributes ([http://groups.geni.net/geni/wiki/TIEDABACModel more detail about ABAC logic]).  The basic structures that libabac uses to support those operations are identities, attributes, and a context for those.
    111111
     112The [/browser/doc/API API document] lists all the interfaces to the library, but this section is intended to impart some meaning to the various structures.  The java interface is slightly different in detail, but uses the same constructs. 
     113
    112114
    113115=== Identities ===
     
    216218}}}
    217219
     220=== Contexts and Proofs ===
     221
     222An ABAC Context contains all the identities and assertions that are known in a specific authorization domain.  Given a Context, a programmer loads the identities that are trusted to issue attributes and the attributes.  A Context can load either of these from files or data chunks.  In python and perl data chunks are strings/scalars while in C and C++ they are simple structs.  IDs and Attributes export the {{{cert_chunk}}} method to support the translation.  Here is an example of generating credentials and loading them into the a Context.   This shows the A principal loading the ({{{A.friendly_admin <- A.friendly & A.admin}}} Attribute and then assigning {{{friendly}}} and {{{admin}}} attributes t identity B and C.
     223
     224{{{
     225import ABAC
     226
     227ctxt = ABAC.Context()
     228
     229a = ABAC.ID("A", 24 * 3600 * 365 * 20)
     230b = ABAC.ID("B", 24 * 3600 * 365 * 20)
     231c = ABAC.ID("C", 24 * 3600 * 365 * 20)
     232
     233attr = ABAC.Attribute(a, "friendly_admin", 24 * 3600 * 365 * 20)
     234attr.role(a.keyid(), "friendly")
     235attr.role(a.keyid(), "admin")
     236attr.bake()
     237
     238ctxt.load_id_chunk(a.cert_chunk())
     239ctxt.load_attribute_chunk(attr.cert_chunk())
     240
     241attr = ABAC.Attribute(a, "friendly", 24 * 3600 * 365 * 20)
     242attr.principal(b.keyid())
     243attr.bake()
     244ctxt.load_attribute_chunk(attr.cert_chunk())
     245
     246
     247attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20)
     248attr.principal(b.keyid())
     249attr.bake()
     250ctxt.load_attribute_chunk(attr.cert_chunk())
     251
     252attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20)
     253attr.principal(c.keyid())
     254attr.bake()
     255ctxt.load_attribute_chunk(attr.cert_chunk())
     256
     257}}}
     258
     259Asking the question is done using {{{ctxt.query()}}}.  The following asks if b is an A.friendly_admin:
     260
     261{{{
     262# Same code as above to initialize the ids and load the context
     263
     264ok, proof = ctxt.query(a.keyid() + ".friendly_admin", b.keyid())
     265
     266}}}
     267
     268The first parameter to {{{Context.query}}} is the attribute of interest and the second is the keyid of an identity.  A tuple is returned holding (success, proof) where success is true if the identity has the attribute and proof is a list of abac statements that make up the proof.
     269
     270=== Credentials and Roles ===
     271
     272Credentials are the abstraction of ABAC statements and Roles are the abstraction of the terms of an ABAC statement.  A Credential is made up of two Roles, a head and a tail that make the two sides of the ABAC statement.  There are a set of  accessors to parse the contents of a role, described in the [/browser/doc/API API docs], and roles are primarily of interest in printing and exploring the proof.
     273
     274Credentials are useful in communicating proof contents outside the program.  In addition to {{{head}}} and {{{tail}}} accessors that access the Roles, a Credential has a {{{attribute_cert()}}} method that returns the exportable content of the assertion and an {{{issuer_cert()}}} that returns the issuer's X.509 certificate (sans private key).  These outputs are chunks, useful for writing to files or importing into other contexts.  The following code prints the proof of our earlier successful question and saves it to files.  This is not exemplary python file handling, but the point is to see the accessors:
     275
     276{{{
     277import sys
     278# Same code as above to initialize the ids and load the context
     279
     280ok, proof = ctxt.query(a.keyid() + ".friendly_admin", b.keyid())
     281
     282if not ok:
     283    sys.exit(1)
     284
     285for i, c in enumerate(proof):
     286    print "%s <- %s" % (c.head().string(), c.tail().string())
     287    open("./id%d.pem" % i, "w").write(c.issuer_cert())
     288    open("./attr%d.xml" % i, "w").write(c.attribute_cert())
     289}}}
     290
     291
     292
    218293== Contacts ==
    219294